Decommissioned for years, Windows XP, 8, and Server 2003 get emergency update.

A day after a ransomware worm infected 75,000 machines in 100 countries, Microsoft is taking the highly unusual step of issuing patches that immunize Windows XP, 8, and Server 2003, operating systems the company stopped supporting as many as three years ago.

Further Reading

Microsoft also rolled out a signature that allows its Windows Defender antivirus engine to provide "defense-in-depth" protection. The moves came after attackers on Friday used a recently leaked attack tool developed by the National Security Agency to virally spread ransomware known as "WCry" or "WannaCrypt." Within hours, computer systems around the world were crippled, prompting hospitals to turn away patients while telecoms, banks, and companies such as FedEx were forced to turn off computers for the weekend.

The chaos surprised many security watchers because Microsoft issued an update in March that patched the underlying vulnerability in Windows 7 and most other supported versions of Windows. (Windows 10 was never vulnerable.) Friday's events made it clear that enough unpatched systems exist to cause significant outbreaks that could happen again in the coming days or months. In a blog post published late Friday night, Microsoft officials wrote:

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.

This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

Further Reading

This is possibly the first time ever that Microsoft has issued a patch for a product decommissioned so long ago. While the company issued an emergency patch for Windows XP in 2014, it came the same week support for that version ended, making the exception seem less unusual. This time around, the emergency patches are being applied to OS versions that Microsoft stopped supporting as many as three years ago.

Crucial entry point still missing

Microsoft announced the patches around the same time it said it still doesn't know what the precise starting point was for Friday's WCry outbreak. One of the key questions circulating once Friday's viral outbreak appeared to be contained was how did the self-replicating worm first gain entry so it could go on to spread from vulnerable machine to vulnerable machine.

At least two security firms—FOX-IT here and CrowdStrike here—said spam that sent fake invoices to end users provided the crucial initial vector to seed the self-replicating attack, but none of the three companies have produced copies. Some researchers doubted a generic e-mail campaign could have been the sole initial vector without leaving a mountain of evidence that would have surfaced by now. In a blog post published Friday night, Microsoft officials wrote:

We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios we believe are highly possible for this ransomware family:

Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit

Infection through SMB exploit when an unpatched computer can be addressed in other infected machines

The blog post went on to say that the worm "executes massive scanning on Internet IP addresses to find and infect other vulnerable computers."

FOX-IT also said in its blog post that "there appear to be multiple infection vectors," but the post didn't elaborate. Maarten van Dantzig, a researcher with FOX-IT, said on Twitter here and here that he suspects e-mail was the initial vector for some, but not all, of the outbreaks. Researchers from Cisco Systems Talos group went even further, writing: "Our research does not yet support that e-mail was the initial infection vector. Analysis is ongoing."

Friday's attack could have been much worse, had the perpetrators not slipped up by failing to register an Internet domain that was hardcoded into their exploit as a sort of "kill switch" they could activate if they wanted to shut down the worm. That made it possible for a quick-acting researcher to register the domain and stop much of the attack just as it was gaining momentum.

A new attack could come at any time. Next time, defenders may not be so lucky. As Microsoft's blog posts makes clear, vulnerable machines aren't only a danger to themselves, but to the entire world at large.

Promoted Comments

Based on the effectiveness of this attack, there will be others just like it. None of the arguments here for why systems will be exposed and unpatched, legacy or otherwise, will matter. You can't argue or reason with malware.

If you don't take steps to shore up your security now, you should go buy some more bitcoin, I've the feeling you'll need it.

At least 2, possibly all 3 of the obsolete OS version patches were being produced by MS anyway for various business reasons; with the only notable part being that this virus outbreak was scary enough to convince Redmond to release them generally as opposed to only to the small market segments that they'd normally go to.

The XP patch at least was more or less a freebie for MS because they've still got an XP based product under support until 2019. (If for some obscene reason you need to keep an XP system running and networked, you can registry hack your way into getting OS patches for it this way.)

Server 2003 only went out of normal support in 2015; which means that MS is still selling patches for it under the custom support program. This is a program that sells OS patches for otherwise dead OS versions to enterprises willing to pay hundreds of dollars/machine/year (or more) for the privilege of not upgrading yet for as many as 3 more years.

The win 8.0 one might be a freebie to release as well; the odds are reasonably high that it's using the same code as 8.1 meaning that at most it only needed a QA run. And since 8.0 only had the plug pulled in Jan 2016, it might be available for custom support. But I haven't been able to find anything definitive about if MS is offering custom support agreements, or is refusing since 8.1 is officially a service pack not a new OS release.